The data protection implications of giving references

The law around references is complex, particularly after the implementation of the GDPR. Holly Cudbill demystifies it for employers

An employer is not generally obliged to provide a reference and many simply offer a basic factual reference. In certain sectors, they are obligatory, for example:

  • the financial services industry (organisations regulated by the Financial Conduct Authority and the Prudential Regulation Authority, and where the Senior Managers and Certification Regime applies). Very detailed information must be given;
  • the care sector, where there are specific guidelines concerning references, particularly where safeguarding legislation applies. 

Otherwise, an employer can choose to provide a full reference, as long as it is fair, accurate and true and does not paint a misleading picture. A consistent approach must be adopted for all staff to avoid potential discrimination.

Employers should specifically check before giving a reference that the employee or former employee is happy for the reference to be given, as it will involve the disclosure of personal data and potentially ‘special categories’ of personal data. 

In the employment relationship, consent is not usually a valid reason for processing personal data, due to the imbalance of power between an employer and employee.   

This was recently confirmed by a judgment of the Greek Data Protection Authority, which fined PwC €150,000 for relying on employees' consent. However, as a reference is given at the specific request of the employee, the lawful ground for disclosing personal data, and special categories of personal data, in a reference is likely to be consent (explicit consent for special categories).

Sometimes, the employer will be able to rely on other lawful grounds, such as a legal obligation (for example, in a regulated sector); contractual obligation (in a settlement agreement); or potentially ‘legitimate interests’ (with the required safeguards); or, in the case of special categories, substantial public interest conditions. The employee should still be informed and told the lawful reason if it is not consent. It is good practice to cover references in your staff privacy notice. 

Receiving references

Many employers forget that they will be processing the personal data of referees simply by receiving names and addresses, which requires the employer to provide referees with the mandatory information on what personal data is held and how it is handled (in effect, a mini privacy notice).

A practical answer is not to ask for referee information before the interview or job offer stage. If an applicant provides referee details before this (for example, in a CV), the employer should delete them and explain to the applicant that they will only be required later on.

When requesting a reference from an individual, the mandatory information can then be provided, or the employer could simply direct the request to the HR department to avoid holding an individual referee's personal data.

Disclosing references

Under the Data Protection Act 2018, there is a general exemption regarding confidential references if a subject access request is made. Previously, the exemption was only for the organisation which gave the reference. That exemption did not apply once it was received by another person or organisation, so individuals could access it from a prospective employer. 

Now both the giver and recipient can refuse to provide personal data consisting of a reference given in confidence for the purposes of the actual or prospective education, training or employment of the data subject.

Holly Cudbill is an associate in the employment team at Blake Morgan